In a plot twist befitting a novel of intrigue, this prediction market platform now finds itself embroiled in a scandalous saga of data exposure. As if the universe conspired to provide us with a cautionary tale, xorcat has boldly claimed to have unleashed not merely a dataset but an entire exploit kit upon the unsuspecting public.
The leak, heralded by none other than Dark Web Informer via an X post (because who needs discretion when you can broadcast your exploits?), attributes this calamity to the aforementioned xorcat. Our protagonist extracted this bounty using undocumented API access points, a clever ruse that would make even the most seasoned hacker blush with pride.
‼️ Polymarket, the decentralized prediction market platform, has allegedly been breached, with 300,000+ records and an exploit kit leaked on a popular cybercrime forum. The actor states Polymarket has no bug bounty program and was not notified.
‣ Threat Actor: xorcat
‣ …
– Dark Web Informer (@DarkWebInformer) April 28, 2026
Crypto Times, with a gallant heart, reached out to Polymarket, seeking the truth behind this alleged attack, yet has been met with the echoing silence of unresponsiveness, an apt metaphor for our times, wouldn’t you agree?
The Artistry of the Alleged Data Leak
The dramatics continue! Our so-called leak is reported to contain a staggering 750 MB of tantalizing information, meticulously compressed into smaller JSON files, because who doesn’t love a little digital origami? This treasure trove spans user profiles, activity logs, and market data, all intertwined in a tapestry of numerical and textual delight.
Among the jewels of this exposed data are approximately 10,000 user profiles, replete with names, pseudonyms, bios that could rival Shakespeare, profile images suitable for a gallery, and wallet-linked addresses: a veritable feast for anyone hungry for personal information. Furthermore, thousands of comments tied to these accounts, along with meticulous records from Gamma and central limit order book markets, whisper secrets as they mingle with event-level data containing Ethereum addresses and internal usernames.
The dataset also proffers additional treasures: follower relationships that could rival the complexities of a Greek tragedy, reward configurations linked to USDC contracts, and internal identifiers nestled comfortably within metadata fields, as if they were hiding from the inevitable scrutiny.
The Ingenious Exploit Kit and Its Technical Marvels
Xorcat, in a display of technical bravado, claims to have orchestrated this grand theft by exploiting multiple vulnerabilities in Polymarket’s API. These include:
- The use of undocumented endpoints across Gamma and CLOB APIs, because why stick to the rules?
- A pagination bypass allowing copious data pulls without the pesky hindrance of rate limits; imagine a buffet where you can eat as much as you want!
- A Cross-Origin Resource Sharing (CORS) misconfiguration enabling requests from any origin, like granting a key to the castle to the village rogue.
- Unauthenticated endpoints exposing comments, reports, and follower data, akin to leaving your diary open on the dining room table.
But wait, there’s more! This package of delights allegedly contains proof-of-concept exploits, complete with scripts designed to automate data extraction like a well-oiled machine until the vulnerabilities are patched, if ever.
Vulnerabilities Referenced: A Tale of Woe
The disclosure references a cornucopia of known weaknesses, including an Axios-related proxy bypass, server-side request forgery, and a middleware authentication bypass that would give any Next.js application a reason to weep. Insufficient validation on pagination parameters and exposed API routes that invite queries without proper access controls only add to the tragicomedy.
Moreover, this exploit package reportedly includes a structured report mapping the attack techniques to established threat frameworks, alongside additional data dumps that could fill volumes of academic tomes.
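As an added illustration (not code from Polymarket, the leak, or this article), here is one way a defender could close three of the weakness classes named above: unvalidated pagination parameters, an any-origin CORS policy, and routes reachable without authentication. The route names, limits, and allowed origin are hypothetical.

```javascript
// Added defensive sketch; route names, limits and origins are hypothetical.
const MAX_LIMIT = 100;       // server-side ceiling on page size
const MAX_OFFSET = 10000;    // deeper reads must use an authenticated export path
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const PUBLIC_ROUTES = new Set(["/api/markets"]); // everything else needs a session

// Accept only plain decimal strings: rejects arrays, negatives, floats, "1e9", "0x10".
function parseStrictInt(value, fallback) {
  if (value === undefined) return fallback;
  if (typeof value !== "string" || !/^\d{1,9}$/.test(value)) return null;
  return Number(value);
}

function validatePagination(query) {
  const limit = parseStrictInt(query.limit, 20);
  const offset = parseStrictInt(query.offset, 0);
  if (limit === null || offset === null || limit < 1 || offset > MAX_OFFSET) {
    return { ok: false };
  }
  return { ok: true, limit: Math.min(limit, MAX_LIMIT), offset };
}

// Echo the Origin only when it is on the allow-list; never "*" and never a blind reflection.
function corsHeaders(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Deny by default: a route missing from PUBLIC_ROUTES requires a session.
// CORS only constrains browsers, so this check is the actual access control.
function handle(req) {
  const headers = corsHeaders(req.origin);
  if (!PUBLIC_ROUTES.has(req.path) && !req.session) {
    return { status: 401, headers, body: { error: "authentication required" } };
  }
  const page = validatePagination(req.query || {});
  if (!page.ok) {
    return { status: 400, headers, body: { error: "invalid pagination" } };
  }
  return { status: 200, headers, body: { limit: page.limit, offset: page.offset } };
}

// Constructed requests exercising each control.
const samples = [
  { path: "/api/markets", query: { limit: "999999" }, origin: "https://evil.example" },
  { path: "/api/comments", query: {}, origin: "https://app.example.com" },
  { path: "/api/markets", query: { limit: "-1" } },
  { path: "/api/markets", query: { limit: ["5", "500000"] } },
];
for (const s of samples) console.log(s.path, JSON.stringify(s.query), handle(s).status);
```

Rate limiting per client is a separate control that belongs alongside these checks; the page-size ceiling only bounds how much one request can return.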
The Questions That Linger
Our illustrious threat actor asserts that no prior disclosure was made to the platform, coupled with allegations of a non-existent bug bounty program, an assertion that remains tantalizingly unverified.
As we stand at the precipice of revelation, no confirmed public response has emerged from Polymarket, leaving us to ponder the authenticity of the leaked data and the potential ramifications of this digital debacle.
The Broader Implications: A Call to Arms
If verified, this incident serves as a stark reminder of the perils lurking within API security on crypto-native platforms, especially those handling user-linked wallet data and the sprawling infrastructure of vast markets. The exposure of both user profiles and market mechanics raises serious questions about privacy, platform integrity, and the potential for nefarious misuse of on-chain and off-chain data connections.
2026-04-28 22:44